Check that SVGImage is loaded in ImageNotifyFinished()

third_party/WebKit/Source/core/svg/graphics/SVGImage.cpp

Index: third_party/WebKit/Source/core/svg/graphics/SVGImage.cpp
diff --git a/third_party/WebKit/Source/core/svg/graphics/SVGImage.cpp b/third_party/WebKit/Source/core/svg/graphics/SVGImage.cpp
index 07080c840278229a7e29a82ee6df1c69ff602606..2fc251f94586049ee78ff5c58c9a76e7a23845db 100644
--- a/third_party/WebKit/Source/core/svg/graphics/SVGImage.cpp
+++ b/third_party/WebKit/Source/core/svg/graphics/SVGImage.cpp
@@ -121,13 +121,24 @@ bool SVGImage::IsInSVGImage(const Node* node) {
   return page->GetChromeClient().IsSVGImageChromeClient();
 }
 
+void SVGImage::CheckLoaded() const {
+  CHECK(page_);
+
+  LocalFrame* frame = ToLocalFrame(page_->MainFrame());
+
+  // Failures of this assertion might result in wrong origin tainting checks,
+  // because CurrentFrameHasSingleSecurityOrigin() assumes all subresources of
+  // the SVG are loaded and thus ready for origin checks.
+  CHECK(frame->GetDocument()->LoadEventFinished());
+}
+
 bool SVGImage::CurrentFrameHasSingleSecurityOrigin() const {
   if (!page_)
     return true;
 
   LocalFrame* frame = ToLocalFrame(page_->MainFrame());
 
-  CHECK(frame->GetDocument()->LoadEventFinished());
+  CheckLoaded();
 
   SVGSVGElement* root_element =
       frame->GetDocument()->AccessSVGExtensions().rootElement();